Loading new certs on calling the admin/reloadconfig endpoint with pre…

…vious thumbprint value Loading new certs on calling the admin/reloadconfig endpoint with previous thumbprint value
EventStore · Jun 14, 2023 · 77c8f66 · 77c8f66
1 parent f8bd926
commit 77c8f66
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 13 deletions.
diff --git a/src/EventStore.Core/Certificates/CertificateProvider.cs b/src/EventStore.Core/Certificates/CertificateProvider.cs
@@ -5,8 +5,7 @@ public abstract class CertificateProvider {
 		public X509Certificate2 Certificate;
 		public X509Certificate2Collection IntermediateCerts;
 		public X509Certificate2Collection TrustedRootCerts;
-
-		public abstract LoadCertificateResult LoadCertificates();
+		public abstract LoadCertificateResult LoadCertificates(string previousThumbPrint);
 	}
 
 	public enum LoadCertificateResult {

diff --git a/src/EventStore.Core/Certificates/DevCertificateProvider.cs b/src/EventStore.Core/Certificates/DevCertificateProvider.cs
@@ -6,8 +6,7 @@ public class DevCertificateProvider : CertificateProvider {
 			Certificate = certificate;
 			TrustedRootCerts = new X509Certificate2Collection(certificate);
 		}
-
-		public override LoadCertificateResult LoadCertificates() {
+		public override LoadCertificateResult LoadCertificates(string previousThumbPrint) {
 			return LoadCertificateResult.Skipped;
 		}
 	}

diff --git a/src/EventStore.Core/Certificates/OptionsCertificateProvider.cs b/src/EventStore.Core/Certificates/OptionsCertificateProvider.cs
@@ -11,7 +11,8 @@ public class OptionsCertificateProvider: CertificateProvider {
 			_options = options;
 		}
 
-		public override LoadCertificateResult LoadCertificates() {
+		//NEW METHOD IMPLEMENTATION OF LoadCertificates() method TO TRACK PREVIOUS THUMBPRINT
+		public override LoadCertificateResult LoadCertificates(string _previousThumbprint) {
 			if (_options.Application.Insecure) {
 				Log.Information("Skipping reload of certificates since TLS is disabled.");
 				return LoadCertificateResult.Skipped;
@@ -29,7 +30,7 @@ public class OptionsCertificateProvider: CertificateProvider {
 				return LoadCertificateResult.VerificationFailed;
 			}
 
-			var previousThumbprint = Certificate?.Thumbprint;
+			var previousThumbprint = _previousThumbprint;
 			var newThumbprint = certificate.Thumbprint;
 			Log.Information("Loading the node's certificate. Subject: {subject}, Previous thumbprint: {previousThumbprint}, New thumbprint: {newThumbprint}",
 				certificate.SubjectName.Name, previousThumbprint, newThumbprint);
@@ -59,6 +60,8 @@ public class OptionsCertificateProvider: CertificateProvider {
 			return LoadCertificateResult.Success;
 		}
 
+		//END OF NEW IMPLEMENTATION
+
 		private static bool VerifyCertificates(X509Certificate2 nodeCertificate, X509Certificate2Collection intermediates, X509Certificate2Collection trustedRoots) {
 			bool error = false;
 

diff --git a/src/EventStore.Core/ClusterVNode.cs b/src/EventStore.Core/ClusterVNode.cs
@@ -76,7 +76,6 @@ public abstract class ClusterVNode {
 			AuthorizationProviderFactory authorizationProviderFactory = null,
 			IReadOnlyList<IPersistentSubscriptionConsumerStrategyFactory> factories = null,
 			CertificateProvider certificateProvider = null,
-			//OptionsCertificateProvider certificateProvider = null,
 			TelemetryConfiguration telemetryConfiguration = null,
 			Guid? instanceId = null,
 			int debugIndex = 0) {
@@ -122,7 +121,6 @@ public class ClusterVNode<TStreamId> :
 		IHandle<SystemMessage.SystemStart>,
 		IHandle<ClientMessage.ReloadConfig>{
 		private readonly ClusterVNodeOptions _options;
-		//private static readonly ClusterVNodeOptions _options;
 		public override TFChunkDb Db { get; }
 
 		public override GossipAdvertiseInfo GossipAdvertiseInfo { get; }
@@ -196,7 +194,6 @@ public class ClusterVNode<TStreamId> :
 		private readonly CertificateDelegates.ClientCertificateValidator _externalClientCertificateValidator;
 		private readonly CertificateDelegates.ServerCertificateValidator _externalServerCertificateValidator;
 		private CertificateProvider _certificateProvider;
-		//private readonly OptionsCertificateProvider _certificateProvider;	
 		private readonly ClusterVNodeStartup<TStreamId> _startup;
 		private readonly EventStoreClusterClientCache _eventStoreClusterClientCache;
 
@@ -231,7 +228,6 @@ public class ClusterVNode<TStreamId> :
 			IReadOnlyList<IPersistentSubscriptionConsumerStrategyFactory>
 				additionalPersistentSubscriptionConsumerStrategyFactories = null,
 			CertificateProvider certificateProvider = null,
-			//OptionsCertificateProvider certificateProvider = null,
 			TelemetryConfiguration telemetryConfiguration = null,
 			IExpiryStrategy expiryStrategy = null,
 			Guid? instanceId = null, int debugIndex = 0) {
@@ -1821,11 +1817,13 @@ public class ClusterVNode<TStreamId> :
 				return;
 			}
 
-			_certificateProvider = new OptionsCertificateProvider(options);
-
-			if (_certificateProvider?.LoadCertificates() == LoadCertificateResult.VerificationFailed){
+			var prevthumbprint = _certificateProvider.Certificate?.Thumbprint;
+			var temp = new OptionsCertificateProvider(options);
+			if (temp?.LoadCertificates(prevthumbprint) == LoadCertificateResult.VerificationFailed){
 				throw new InvalidConfigurationException("Aborting certificate loading due to verification errors.");
 			}
+
+			_certificateProvider = temp;
 		}
 
 		private static void EnsureNet5CompatFileStream() {